Ken:
I am looking forward to the AHR Expo 2023 Panel on Cybersecurity for BAS Systems on Monday 2/6 at 10:30 am. I see you’re a key presenter. What can you tell me about the session?
Jim:
We’re going to share information about BAS cybersecurity risks and the potential impact to the automation systems that run our critical infrastructure including our buildings.
Cyber attackers have definitely expanded from hacking of websites and business systems. Today, hackers are poking into the realm of industrial automation including building automation systems. That type of hack creates a completely different set of problems to solve. Integrators and engineers are being asked to ensure they’re designing secure systems and to know how to respond if they are attacked.
Ken:
I am hearing from our industry that there’s a lot of interest but also frustration around this topic for BAS because it’s not something typical controls companies have had to deal with much in the past. How will this session help those think about this new business issue they have to deal with?
Jim:
There is some frustration, Operational Technology Cybersecurity is a complex topic with unique challenges compared to securing passwords and personal data. But the BAS industry can’t afford to ignore cybersecurity because not only is the government engaging, we see a lot of corporate boards and underwriters asking for risk analysis and proof of mitigation strategies.
Those of us facilitating this session want to share strategies integrators, OEMs, Consulting Engineers, and Distributors can take now to answer the immediate questions, as well as start to implement long term strategies for dealing with continually emerging issues and developing their business competencies around OT cybersecurity.
Ken:
So how serious of an issue could a cyber attack be coming through a BAS system?
Jim:
Well we continue to add more networked devices that can potentially be accessed from the internet. Consequently, the opportunity for such attacks is increasing. I have personally seen attacks that include everything from ransomware to direct attacks on the control systems themselves including loss of control.
The big difference with operational technology is that losing control can cause the loss of life. I’m not minimizing the impact of data hacks into personal information, but we need to be aware that the impact of loss of control over a system operating critical infrastructure can result in physical damage and potentially death even in buildings.
Ken:
What do you want people at AHR attending this to walk away with after they’ve sat in the session?
Jim:
I would like to see them confident that they have several options to build cybersecurity competencies for their business today.
The session will get into more detail, but the first step is to identify someone in their company – typically one of their best employees – to start training. At ASP, we recommend picking a top employee so that employee can also mentor other team members later that go through the training.
The next step is to enroll that person in the appropriate training. This is also where some in the BAS industry become frustrated, because much of the training available does not address operational technology, and rarely BAS cybersecurity.
ASP has launched a cybersecurity program specifically for operational technology companies like our BAS integrators. It’s open to anyone – integrators, building operators, consulting engineers, and BAS OEMs. We’ll have information at booth C5933 on this, and I’ve included a link to a video people can use to learn more.